Episode 186

Posted on Friday, Feb 10, 2023
The Ubuntu Security Podcast is back for 2023! We ease into the year with coverage of the recently announced launch of Ubuntu Pro as GA, plus we look at some recent vulns in git, sudo, OpenSSL and more.

Show Notes

Overview

The Ubuntu Security Podcast is back for 2023! We ease into the year with coverage of the recently announced launch of Ubuntu Pro as GA, plus we look at some recent vulns in git, sudo, OpenSSL and more.

This week in Ubuntu Security Updates

212 unique CVEs addressed

[USN-5778-1] X.Org X Server vulnerabilities

[USN-5779-1] Linux kernel (Azure) vulnerabilities

[USN-5780-1] Linux kernel (OEM) vulnerabilities

[USN-5781-1] Emacs vulnerability

[USN-5782-1] Firefox vulnerabilities

[USN-5783-1] Linux kernel (OEM) vulnerability

[USN-5784-1] usbredir vulnerability

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS)

[USN-5785-1] FreeRADIUS vulnerabilities

[USN-5786-1] GNOME Files vulnerability

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5787-1] Libksba vulnerability

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5782-2] Firefox regressions

[USN-5789-1] Linux kernel (OEM) vulnerabilities

[USN-5788-1] curl vulnerabilities

[USN-5790-1] Linux kernel vulnerabilities

[USN-5791-1] Linux kernel vulnerabilities

[USN-5792-1] Linux kernel vulnerabilities

[USN-5793-1] Linux kernel vulnerabilities

[USN-5794-1] Linux kernel (AWS) vulnerabilities

[USN-5787-2] Libksba vulnerability

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM)

[USN-5795-1] Net-SNMP vulnerabilities

[USN-5796-1] w3m vulnerability

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5797-1] WebKitGTK vulnerabilities

[USN-5792-2] Linux kernel vulnerabilities

[USN-5793-2] Linux kernel (Azure) vulnerabilities

[USN-5782-3] Firefox regressions

[USN-5796-2] w3m vulnerability

[USN-5798-1] .NET 6 vulnerability

  • 1 CVEs addressed in Jammy (22.04 LTS), Kinetic (22.10)

[USN-5791-3] Linux kernel (Azure) vulnerabilities

[USN-5793-3] Linux kernel vulnerabilities

[USN-5793-4] Linux kernel (IBM) vulnerabilities

[USN-5799-1] Linux kernel (OEM) vulnerability

[USN-5800-1] Heimdal vulnerabilities

[USN-5802-1] Linux kernel vulnerabilities

[USN-5803-1] Linux kernel vulnerabilities

[USN-5804-1] Linux kernel vulnerabilities

[USN-5801-1] Vim vulnerabilities

[USN-5804-2] Linux kernel vulnerabilities

[USN-5805-1] Apache Maven vulnerability

[USN-5795-2] Net-SNMP vulnerabilities

[USN-5808-1] Linux kernel (IBM) vulnerabilities

[USN-5810-1, USN-5810-2, USN-5810-3] Git vulnerabilities [01:16]

  • 2 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Integer overflow when parsing really long paths specified in .gitattributes
    • But depends if file is in working tree, index or both since when parsed normally the parsing is done in chunks which mitigates the vuln
    • leads to heap reads/writes -> RCE
  • Integer overflow when using a crafted format specifier for git log or git archive
    • Not too common to use random format specifiers, but how many people have wanted a prettier git log output, and copy-pasted something from stack overflow without understanding it?
    • We talk about the provenance and integrity of code for OSS / supply chain attacks - interesting to think about it from a configuration / data point of view
      • Can ChatGPT be poisoned to spit out dangerous configs?

[USN-5811-1, USN-5811-2, USN-5811-3] Sudo vulnerabilities [03:34]

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Most interesting was a vuln in sudoedit - ie the command to edit a file with sudo - launches your specified editor to edit the file
  • The editor is specified via various environment variables - SUDO_EDITOR, VISUAL or EDITOR - these would normally specify the binary of the editor to use
  • But could also include extra arguments to pass to the editor - such as additional filenames by separating them with a double hyphen --
  • As such a user could set their EDITOR=vim -- /etc/shadow - then when sudoedit launches the editor for the originally specified file, would also launch it with this file too
  • Allows a user to bypass possible restrictions set via /etc/sudoers - ie since could be configured to only allow a user to edit say the apache config via sudoedit

[USN-5812-1] urllib3 vulnerability

[USN-5810-2] Git regression

[USN-5813-1] Linux kernel vulnerabilities

[USN-5814-1] Linux kernel vulnerabilities

[USN-5815-1] Linux kernel (BlueField) vulnerabilities

[USN-5816-1] Firefox vulnerabilities

[USN-5817-1] Setuptools vulnerability

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5818-1] PHP vulnerability

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5819-1] HAProxy vulnerability

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5806-2] Ruby vulnerability

  • 1 CVEs addressed in Bionic (18.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5820-1] exuberant-ctags vulnerability

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5821-1] wheel vulnerability

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5822-1] Samba vulnerabilities

[USN-5823-1] MySQL vulnerabilities

[USN-5823-2] MySQL vulnerability

[USN-5825-1] PAM vulnerability

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5826-1] Privoxy vulnerabilities

[USN-5827-1] Bind vulnerabilities

[USN-5828-1] Kerberos vulnerabilities

  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5829-1] Linux kernel (Raspberry Pi) vulnerabilities

[USN-5822-2] Samba regression

[USN-5830-1] Linux kernel vulnerabilities

[USN-5831-1] Linux kernel (Azure CVM) vulnerabilities

[USN-5823-3] MySQL regression

  • Affecting Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5832-1] Linux kernel (Raspberry Pi) vulnerabilities

[USN-5833-1] python-future vulnerability

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5835-1] Cinder vulnerability

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5835-2] OpenStack Glance vulnerability

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5835-3] Nova vulnerability

  • 1 CVEs addressed in Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5834-1] Apache HTTP Server vulnerabilities

[USN-5836-1] Vim vulnerabilities

[USN-4781-2] Slurm vulnerabilities

[USN-5837-1] Django vulnerability

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5839-1] Apache HTTP Server vulnerabilities

[USN-5838-1] AdvanceCOMP vulnerabilities

[USN-5837-2] Django vulnerability

[USN-5839-2] Apache HTTP Server vulnerability

[USN-5840-1] Long Range ZIP vulnerabilities

[USN-5841-1] LibTIFF vulnerabilities

[USN-5816-2] Firefox regressions

[USN-5825-2] PAM regressions

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5824-1] Thunderbird vulnerabilities

[USN-5842-1] EditorConfig Core C vulnerability [05:24]

  • 1 CVEs addressed in Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • Discovered by Mark Esler and David Fernandez Gonzalez from Ubuntu Security team
  • Will be discussed in more detail in an upcoming episode with an interview with both Mark and David - TL;DR - Mark decided to fuzz some regex handling in editorconfig-core-c whilst doing a security audit as part of the MIR process. This uncovered a few crashes which David then looked into an identified a heap buffer overflow. He then went further and was able to develop an input that would allow to jump to an arbitrary location, ie. code execution. So was able to demonstrate a heap buffer overflow that could lead to code execution from untrusted input data.
  • Will have to wait for hopefully next weeks episode to get the real inside story

[USN-5843-1] tmux vulnerability

  • 1 CVEs addressed in Trusty ESM (14.04 ESM), Xenial ESM (16.04 ESM), Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5810-3] Git vulnerabilities

[USN-5844-1, USN-5845-1, USN-5845-2] OpenSSL vulnerabilities [08:06]

  • 8 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)
  • 2 CVEs addressed in Trusty ESM (14.04 ESM), Bionic (18.04 LTS)
  • Most interesting issue was a type confusion in handling of X.509 certificates - when parsing the X.400 address would parse it as a string but other code would assume this was a simple type. As such, when comparing this to other values this would not be done correctly. Thus could bypass these checks, in particular which are used for CRL processing and that could then lead to the ability to read other memory contents or crash the application.
  • So whilst not a heartbleed (since is a lot more complicated and doesn’t allow the same level of control of the memory which is read and hence is unlikely to be able to be used to read out private keys etc)

[USN-5846-1] X.Org X Server vulnerability

  • 1 CVEs addressed in Bionic (18.04 LTS), Focal (20.04 LTS), Jammy (22.04 LTS), Kinetic (22.10)

[USN-5847-1] Grunt vulnerabilities

Goings on in Ubuntu Security Community

Ubuntu Pro GA [09:33]

  • https://ubuntu.com/blog/ubuntu-pro-enters-ga
  • https://ubuntu.com/pro
  • https://www.omgubuntu.co.uk/2023/01/ubuntu-pro-general-availability
  • In late January Canonical announced the general availability of Ubuntu Pro
    • you may have noticed this in your apt update output, e.g.: 
      The following security updates require Ubuntu Pro with 'esm-apps' enabled:
  python2.7-minimal python2.7 libpython2.7-minimal libpython2.7-stdlib
Learn more about Ubuntu Pro at https://ubuntu.com/pro
  • TL;DR - security team is now patching vulnerabilities in packages in the universe component of the Ubuntu archive
  • these patched packages get published under the esm-apps service of Ubuntu Pro
    • ESM has evolved from extended to expanded security maintenance
    • not only can you get security updates for packages in main once a release reaches the end of the LTS period, you also get security updates for packages in universe both during the LTS period and during the 5 year ESM period too
  • Ubuntu Pro gives 10 years of security support for both packages in both main and universe
  • Ubuntu Pro is free for personal use on up to 5 machines (50 if you are an Ubuntu member)
    • for commercial organisations, 30 day free trial
  • More details in Ubuntu Pro Beta overview with Lech Sandecki and Eduardo Barretto from Episode 180

Hiring [12:58]

Chief Information Security Officer

Product Marketing Manager - Security

Security Certifications Product Manager - CIS, FIPS, FedRAMP and more

Ubuntu Security Manager

  • Multiple possible focus areas:
    • Security Maintenance (CVE and vulnerability addressing life cycle)
    • Security Technology (AppArmor, Secureboot, and Cryptography)
    • Certifications and Compliance (FIPS, CIS, FedRAMP)

Linux Cryptography and Security Engineer

Security Engineer - Ubuntu

Get in contact